IETF Logo Mail Archive

Re: [Rats] use case document updates on Roots of Trust

Ira McDonald <blueroofmusic@gmail.com> Mon, 09 September 2019 23:20 UTC

Return-Path: <blueroofmusic@gmail.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29BF91200E3 for <rats@ietfa.amsl.com>; Mon, 9 Sep 2019 16:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pm2T2xLeHf8l for <rats@ietfa.amsl.com>; Mon, 9 Sep 2019 16:20:13 -0700 (PDT)
Received: from mail-yw1-xc41.google.com (mail-yw1-xc41.google.com [IPv6:2607:f8b0:4864:20::c41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCA6120020 for <rats@ietf.org>; Mon, 9 Sep 2019 16:20:13 -0700 (PDT)
Received: by mail-yw1-xc41.google.com with SMTP id f187so5582625ywa.5 for <rats@ietf.org>; Mon, 09 Sep 2019 16:20:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IBs1IObg6tG60TD/Vo5FAIihqeO3LnGKQJ7xxlIUIno=; b=fUDXrGXdT23ZBDXgBZj/WKq/X7xDbF8gLDOjAdejL7HQlAbPr0lDbHH799Mqh5W/OS p55DtP3WdfLpMYfRtIY0E2GbNuHEW0zkBIbbPpcI0vqRCJs89ewOYjHlE62D1ojV9ITb g2Yt+5aGKOaLAtc16h1uitZ8wjo3KQuwj6ZbtYsWSA5Se5IE6GXBeMi8XZOWtQJeBvk3 YBDhNjzlKpRuS3OMBMpQRgcoH7gfOvzxOaiTTAiN1fjvs+Mr26CwBWilwXq2+bHXuekz xixE/q1pckpiJkGskHjX5ogDn5F/9q0EE+PBzBUKZyu4dS85b+NyRvKj4OVG+CiSGnxs d3dA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IBs1IObg6tG60TD/Vo5FAIihqeO3LnGKQJ7xxlIUIno=; b=Zh6tZAJjuZFkUnHir0sBYZuVszk98RrysRqKbJmO0nrr+Pd5g6QtVo42+DN8W3tXVq jHlA/jHqGi711r3tORuOSFsQPwSz3n1R4RpXKHa34OWlIf+JhFzx/mWabinftLZdf9DS P3OEvjlCLjUrOzYQjNWVHUd5HT3Yij3vbmQgbRhWYDg/f72gpIdp+exBSxPdAU6mU1xO mbOYHlW82xEGloFc72z01GStHYPQLhXCXnECXvUbBieCLt17l/BSgZ+V8hLwstX1Ywi6 HQq5mJruFin99QICQkr7Jt8XRE82tigZnipL6vd3CXcyBJaidZWKCFh6z7xpA365pFZg xfDg==
X-Gm-Message-State: APjAAAWDXhMeXYe35u2Iyn9J9P+G+jjOYBT39dzNdZB6elt5l6TaO7kR /vsnAENNotRyIruqjStPk5hl5bLxfQM/5Zto7io=
X-Google-Smtp-Source: APXvYqztv5L8mlb1v7u+vyr2r0moVjDeT6wq3O4SuoEdbhcv17kcYuyqGu5ulmstbEXU5s5OzdwnK6/fnnemt0gbwGM=
X-Received: by 2002:a81:3e17:: with SMTP id l23mr19443316ywa.312.1568071212902; Mon, 09 Sep 2019 16:20:12 -0700 (PDT)
MIME-Version: 1.0
References: <4155.1567948986@dooku.sandelman.ca> <64BD12AA-951A-468A-9F08-D442054605AD@island-resort.com> <de6ff852-062d-805d-3eed-10aca60502b2@sit.fraunhofer.de>
In-Reply-To: <de6ff852-062d-805d-3eed-10aca60502b2@sit.fraunhofer.de>
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 09 Sep 2019 19:20:02 -0400
Message-ID: <CAN40gStH5jUCJeVggREr3ABoFw7K97F=KtoJOSR_X+LWNLB+JA@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, Ira McDonald <blueroofmusic@gmail.com>
Cc: rats@ietf.org
Content-Type: multipart/alternative; boundary="000000000000a0afe405922707d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/tjs9tJsGcNPmJcYbRy60MzKHyns>
Subject: Re: [Rats] use case document updates on Roots of Trust
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2019 23:20:18 -0000

Hi,

Chiming in here.

The TCG is neither the originator of the term "Root of Trust", nor a
particularly good source for RoT definitions.

One might look at this US NIST project on Roots of Trust:

https://csrc.nist.gov/Projects/Hardware-Roots-of-Trust/publications

And especially this SP800-164 document:

https://csrc.nist.gov/publications/detail/sp/800-164/draft

Cheers,
- Ira

Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Co-Chair - TCG Metadata Access Protocol SG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
PO Box 221  Grand Marais, MI 49839  906-494-2434



On Mon, Sep 9, 2019 at 6:49 PM Henk Birkholz <
henk.birkholz@sit.fraunhofer.de> wrote:

> Hi all,
>
> wrt the topic of "roots of trust", on the list a very visible concern
> was highlighted: "the definition [of RoT] defines what they are -not-
> and not what it actually -are-". And I am inclined to agree with that.
>
> My initial and unpolished proposal is this:
>
> "If" we use the spectrum of meanings what "roots of trust" are in RATS,
> we probably have to do two things:
>
> 1.) We maybe should highlight that "Roots of Trust" are a demarcation
> line. There are system components or system components characteristics
> (aka "Claims" that are composed into "Evidence" about "Trustworthiness")
> that an Attester cannot create Evidence about only by itself. It is the
> "rock bottom" that an Attester cannot attest to (because, quoting:
> "their misbehavior cannot be detected"). While that being very true, it
> seems not to be enough of a reason to just exclude them conceptually.
>
> Hence, the only established procedure to "deal" with these roots of
> trust is a third's party endorsement. The consumer of attestation
> results is at its own liberty to put trust into these third party's
> endorsements - or not.
>
> It is an optional Claim Set, typically provided in the form of
> Endorsement Certificates (but there surely are other ways). And these
> methods might simply not be available to an Attester. And if that i that
> case that MUST not be a blocker, especially wrt to the RATS architecture.
>
> I.e. in RATS these Claims about RoT (Endorsements) should be purely
> optional. The architecture should allow to include them. But by any
> means, there should not be prescriptive or a normative MUSTs to provide
> them.
>
> If an Attester is able to provide or refer to such an endorsements of a
> system components capabilities, it should be able to do so. If an
> Attester is not able to provide such third party endorsements, that
> should not be a blocker to conducts RATS. The benefit of having the
> option to provide them is to fuel a framework about "levels of
> confidence" that most likely is out of scope of IETF definitions, but
> would enable other entities to fill that gap in.
>
> 2.) I am proposing that the RATS WG puts some effort in defining what
> "roots of trust" actually do (and not only what they cannot do). That
> would help to create an understanding what they actually mean - a lot.
> And - I think that is important - that might not have to be part of the
> architecture document. Maybe it is an Appendix of it, maybe it is an
> informational draft that complements the architecture document, or this
> content goes alongside with solutions drafts. We don't know yet, I think.
>
> TL;DR
>
> Roots of Trust are relevant. But their upcoming definition and use
> should not stop us from progressing essential corner stone drafts, today.
>
> My understanding is that some use cases really require them, and other
> use cases don't. Neither am I inclined to include them in the
> architecture draft and over-complicate elegant solutions, such as EAT,
> nor am I inclined to exclude them and thereby inhibit established
> solution, such as RIV.
>
> There is some middle ground here, I think. My proposal is to neither
> disregard the system components an Attester is not able to create
> Evidence for by itself, nor to mandate that an Attester can only create
> believable Evidence, if RoT are available. Both options should be
> enabled by the RATS architecture, I think.
>
> Viele Grüße,
>
> Henk
>
>
> On 09.09.19 22:56, Laurence Lundblade wrote:
> > Appreciate you wading into this with something written and concrete.
> >
> > As a thought experiment consider adding this to our RATS definition:
> >
> >     A root of trust may also be a simple unsecured user mode
> >     application, like an Android, Windows or Linux application that
> >     trust has been placed in by a particular attestation system. It is
> >     provisioned with a signing key or such and other capabilities so as
> >     to be able to produce attestation evidence (e.g. signed tokens).
> >       The application may or may not be signed or authenticated.
> >
> >     In a sense, the usual definition of root of trust applies in that it
> >     is something that is unconditionally trusted. In another sense, this
> >     is at odds with the usual conception as it is not anchored in HW or
> >     to any kind of system or boot SW.
> >
> > I assuming this addition is too much at odds with the convention usage
> > and there is no support for RATS adopting this definition. This is one
> > of the main reasons I am asking we not use the term normatively.
> >
> > LL
> >
> >
> >> On Sep 8, 2019, at 6:23 AM, Michael Richardson <mcr+ietf@sandelman.ca
> >> <mailto:mcr+ietf@sandelman.ca>> wrote:
> >>
> >>
> >> We seem to have regular email disputes on terms like Roots of Trust.
> >> I continue to have difficulty with the term. Particularly in the plural
> >> "Roots" form.
> >> As I process edits to the use case document, I got a bunch of text:
> >>
> >>   The TCG Glossary also offers a general definition for Root of Trust “A
> >>   component that performs one or more security-specific functions, such
> as
> >>   measurement, storage, reporting, verification, and/or update. It is
> >> trusted
> >>   always to behave in the expected manner, because its misbehavior
> >> cannot be
> >>   detected (such as by measurement) under normal operation. “
> >>
> >> {I personally find it very difficult to understand the words as other
> >> than an
> >> alias for Trust Anchor, yet it clearly is something else.  It's hard
> >> to make
> >> my neurons pull up a different meaning.  This is probably something that
> >> every RATS document should say clearly upon first using the term, in
> >> order to
> >> ease the impedence mis-match with IETF readers as we get reviews}
> >>
> >> I have included not just Ned Smith's comments about the term Roots of
> >> Trust,
> >> but his survey of the various origins of the term.  I'm sure that this
> >> belongs somewhere else.
> >>
> >> That diff is here:
> >>
> https://ietf.org/rfcdiff?url1=draft-richardson-rats-usecases-04&url2=https://ietf-rats-wg.github.io/ietf-rats-usecases/draft-richardson-rats-usecases.txt
> >>
> >> and commit is:
> >>
> https://github.com/ietf-rats-wg/ietf-rats-usecases/commit/7386e8c0df11ece66e3c95f85d141a639d440e12
> >>
> >>
> >> --
> >> Michael Richardson <mcr+IETF@sandelman.ca
> >> <mailto:mcr+IETF@sandelman.ca>>, Sandelman Software Works
> >> -= IPv6 IoT consulting =-
> >>
> >>
> >>
> >> _______________________________________________
> >> RATS mailing list
> >> RATS@ietf.org <mailto:RATS@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/rats
> >
> >
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats
> >
>
> _______________________________________________
> RATS mailing list
> RATS@ietf.org
> https://www.ietf.org/mailman/listinfo/rats
>

v2.23.0 | Report a Bug | By Email